I. Background and description
Velocity is a Java-based template engine that lets a template reference objects defined in Java code directly from the template language. As a rule, the more powerful and feature-rich a rendering-layer language is (in a sense PHP itself can be classed as a rendering-layer language), the more security problems it brings with it.
Some people think that because Velocity cannot embed Java code the way JSP can, and because it is strictly separated from the rest of the application by MVC, it is quite safe. If so, please read this article; I believe you will no longer think so afterwards :)
II. What is local file inclusion (LFI)
Local file inclusion (LFI) is a classic web attack technique: the attacker gets the application to include an attacker-controlled file containing malicious code, which the rendering-layer language then executes. Because of language features such as the include and require functions, this vulnerability is common in PHP.
III. The Velocity parse() function
Official definition: the #parse script element allows the template designer to import a local file that contains VTL. Velocity will parse the VTL and render the template specified.
In short, #parse is used to include another template that contains VTL.
Common usage:
#parse("me.vm")
The similar-looking #include is easily confused with it, but note that the contents of a file imported with #include are not processed by the template engine.
Common usage:
#include("one.txt")
In real-world development, however, many programmers concatenate a variable into the path and write code like the following (there are many real cases; this is not imagined):
#parse("${path}.vm")
The vulnerability therefore arises whenever the path variable is attacker-controllable.
IV. Conditions for exploitation
1. The variable used in #parse is user-controllable.
2. Velocity's template loading is not restricted to the web directory.
3. The inclusion path can be truncated (for example with %00).
The last two conditions in particular look quite demanding.
But if you look carefully you will find that many architects do not restrict the Velocity template directory to WEB-INF, or even to the webapp directory, and that is what makes exploitation possible.
Configurations like the following in velocity.properties are therefore dangerous:
resource.loader = file
file.resource.loader.class = org.apache.velocity.runtime.resource.loader.FileResourceLoader
file.resource.loader.path = /opt/templates
file.resource.loader.path = /home/myhome/other_root_path
V. Exploitation methods
There is no big difference from traditional LFI exploitation. In summary there are three kinds:
1. Path traversal to read sensitive files:
http://test.com/index.php?page=../../etc/passwd%00
2. Upload a .jpg or other file containing malicious VTL at an upload point, then include it through the LFI so that a "normal" file is parsed as a VM template.
3. Modify the HTTP request so that the URL or User-Agent carries malicious VTL, then include the access log or /proc/self/environ so that it is parsed.
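As an added illustration for the log-poisoning case (this is not code from the original article), the following Java class scans access-log lines for VTL directives and reflection markers in the request path or User-Agent. That is the trace a defender can alert on, long before any #parse of the log file happens. The log lines are constructed samples, and the class name, regex and helper are my own assumptions, not part of Velocity.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (not from the original article): flag access-log lines whose request
// path or User-Agent carries VTL, the precursor of log poisoning through #parse.
public final class VtlLogScanner {

    // VTL markers that have no business in a URL or User-Agent sent by a normal client.
    private static final Pattern VTL_MARKER = Pattern.compile(
        "#(set|parse|include|evaluate)\\s*\\(" +            // directives
        "|\\$\\{?[A-Za-z_][A-Za-z0-9_]*\\.class\\b" +        // reflection via .class
        "|forName\\s*\\(|getRuntime\\s*\\(",                 // Runtime reflection chain
        Pattern.CASE_INSENSITIVE);

    private VtlLogScanner() {}

    /** Returns the 1-based numbers of the lines that contain VTL markers. */
    public static List<Integer> suspiciousLines(List<String> logLines) {
        List<Integer> hits = new ArrayList<>();
        for (int i = 0; i < logLines.size(); i++) {
            // Decode %XX escapes so "%23set" is inspected as "#set".
            String line = urlDecodeLite(logLines.get(i));
            Matcher m = VTL_MARKER.matcher(line);
            if (m.find()) {
                hits.add(i + 1);
            }
        }
        return hits;
    }

    // Minimal %XX decoding; a '+' is deliberately left alone since it is not an escape in a path.
    static String urlDecodeLite(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%' && i + 2 < s.length()) {
                try {
                    sb.append((char) Integer.parseInt(s.substring(i + 1, i + 3), 16));
                    i += 2;
                    continue;
                } catch (NumberFormatException ignored) {
                    // not a valid escape: keep the literal '%'
                }
            }
            sb.append(c);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample lines in Apache combined log format (not real traffic).
        List<String> sample = List.of(
            "10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] \"GET /index.do?page=home HTTP/1.1\" 200 512 \"-\" \"Mozilla/5.0\"",
            "10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] \"GET /index.do?page=%23set(%24x%3D1) HTTP/1.1\" 200 512 \"-\" \"Mozilla/5.0\"",
            "10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] \"GET / HTTP/1.1\" 200 512 \"-\" \"$x.class.forName(\\\"java.lang.Runtime\\\")\"");
        // Lines 2 (encoded #set in the query string) and 3 (reflection chain in the User-Agent) are flagged.
        System.out.println("suspicious lines: " + suspiciousLines(sample));
    }
}
```

Running this on a real log is only a first-pass filter: the regex catches the directive and reflection forms shown in this article, and a site should extend it with whatever other VTL constructs its own templates never legitimately receive from a client.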
Next we put this into practice with one of the classic LFI exploitation methods.
Step 1: insert the following code into an image file:
#set($exec="thanks")$exec.class.forName("java.lang.Runtime").getRuntime().exec("calc")
Step 2: upload the image to the server.
Step 3: include it through the local inclusion point using directory traversal and %00 truncation.
VI. Defense methods
1. Configure velocity.properties as follows:
resource.loader = webapp
webapp.resource.loader.class = org.apache.velocity.tools.view.servlet.WebappLoader
webapp.resource.loader.path = /WEB-INF/vm/
2. Filter ./ out of user-submitted parameters.
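An added example, not code from the original article, of what "filter the parameters" should mean in practice for the #parse("${path}.vm") pattern from section III: the user-supplied value is reduced to a bare identifier (which already excludes ./, ../, / and %00), checked against an allowlist of templates the application actually ships, and its resolved location is confirmed to lie under the template root as a second line of defence. The class name, the allowlist entries and the /WEB-INF/vm root are assumptions for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;
import java.util.regex.Pattern;

// Added example (not from the original article): validate a user-supplied template
// name before it is placed in the context that feeds #parse("${path}.vm").
public final class TemplateNameValidator {

    // Assumed allowlist: only templates the application actually ships.
    private static final Set<String> ALLOWED = Set.of("home", "profile", "settings");

    // Bare identifier: no slashes, dots, percent signs or null bytes can pass.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    // Assumed template root; it must match the loader path in velocity.properties.
    private static final Path TEMPLATE_ROOT =
        Paths.get("/WEB-INF/vm").toAbsolutePath().normalize();

    private TemplateNameValidator() {}

    /** Returns the value safe to put in the context as "path", or null if the input is refused. */
    public static String resolve(String userValue) {
        if (userValue == null || !SAFE_NAME.matcher(userValue).matches()) {
            return null;   // rejects "../", "%00", "/etc/passwd", "uploads/x.jpg", empty strings
        }
        if (!ALLOWED.contains(userValue)) {
            return null;   // syntactically clean but unknown names are refused as well
        }
        // Defence in depth: the resolved file must stay under the template root.
        Path resolved = TEMPLATE_ROOT.resolve(userValue + ".vm").normalize();
        if (!resolved.startsWith(TEMPLATE_ROOT)) {
            return null;
        }
        return userValue;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate request and three that must be refused.
        String[] samples = {
            "home",                       // accepted
            "../../etc/passwd\u0000",     // refused by SAFE_NAME (traversal and null byte)
            "../uploads/avatar.jpg",      // refused by SAFE_NAME (traversal into an upload dir)
            "admin",                      // clean name, but not in ALLOWED
        };
        for (String s : samples) {
            String r = resolve(s);
            System.out.printf("%-28s -> %s%n",
                s.replace("\u0000", "\\0"),
                r == null ? "REFUSED" : "#parse(\"" + r + ".vm\")");
        }
    }
}
```

The allowlist is the check that actually closes the hole: a character filter alone only blocks the traversal spellings the developer thought of, while an allowlist makes the set of includable templates finite regardless of how the loader path is configured.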
VII. Summary
Java security is not studied much in China. The obvious example is the Struts vulnerability, which went unnoticed until it was actually exploited.
The most important thing in security is the mindset: vulnerabilities do not occur only in PHP. I hope this article can serve as a wake-up call.
Author: Thanks, www.freebuf.com